Packets on the Rise

Saturday, 2006-09-02; 23:37:00

Packet sniffing the data that iWeb sends to the .mac servers when using the commenting system

Today my friend and I spent some more time to figure out this whole .mac commenting thing. After poking around in the JavaScript files some more, duplicating the Add A Comment page and trying to force comments through the system, I finally went back to the most promising place to get more clues -- packet sniffing.

As I said yesterday, the packet sniffing I did via tcpdump wasn't that helpful. It did indicate that something else was going on, though. Instead of tcpdump, this time I went for Ethereal (I installed it via Fink and FinkCommander, which worked flawlessly).

This time, I was much more successful. Instead of the gibberish, Ethereal gave me some useful stuff to work with. (It's possible that tcpdump does the same, and I just don't know how to use it.) The first thing that caught my eye was this:

So I now had the full URL to the application ( http://www.mac.com/WebObjects/WSComments.woa/xmlrpc ) that was taking requests, and I had the structure of one of the requests. Ethereal said it was XML over HTTP, so my first thought was to construct a web form that would be able to submit the proper XML to the server. But I didn't know how to exactly send the data in the proper format -- do I send it all as text, using what kind of input HTML tag? Obviously my first few tries didn't work out so well. The app kept giving me back a "faultStringorg.apache.xmlrpc.ParseFailedfaultCode0" failure. No good.

I went back to Ethereal and noted that there were multiple calls to this application. Even before, when I had used tcpdump, there were 5 separate instances where the WSComments URL showed up. Looking back at the specific XML requests in Ethereal showed a few more things that were happening in iWeb. Here are the relevant sections, stripping out the gook

There are 5 separate calls to the xmlrpc application. The first calls the "comment.setCommentPropertiesForResources" method, the second "comment.indexComments", the third "comment.terminateSession", the fourth "comment.changeTagForComments", and the last is "comment.commentIdentifiersSinceChangeTag". These are clearly the methods that manipulate comments inside the system, which means that I'm going to have to replicate these XML calls that iWeb does if I want to use the .mac commenting system -- which means that I'll have to run an AppleScript manually after I publish each time to tell .mac that there's a new entry at a certain URL, assuming that I do end up using the .mac commenting system.

My friend was fiendishly sending me various URLs throughout this whole ordeal. Earlier, he had given me some links to help figure out how to structure a web form that would submit the proper URL. But then he sent me this URL from Apple's developer documentation. Sweet! A way to send XML requests via AppleScript! My favorite!

Using the raw XML requests above, we quickly created this AppleScript that replicates all five XML requests in succession:

There are two small problems. One: "visible" is a special word in the AppleScript language, so instead of sending the word "visible" as a name of a member in the struct of the XML request, it modifies it so that the name is "pvis" and moving that member of the struct to the top, rather than in second position where it should be.

First question: is there a way to escape special words in the AppleScript language? There's this message on the Apple mailing list that suggests there's a different way to get the name "visible" into an XML request, but I'm not exactly sure what the solution means and/or how to use it in an AppleScript. Can anybody offer a little help?

Regardless of this problem, there's another more fundamental problem. When running this AppleScript, I get an "org.apache.xmlrpc.XmlRpcException: Session not found. Re-authenticate" error. This implies that there needs to be some authentication to the mac.com server first. And indeed, looking back in the packet sniffing record, these packets appear right before the first request to the xmlrpc application:

These look like a secure authentication request over the HTTP protocol to me.

Second question(s): Where is the authentication request sent, and what authentication credentials does it send? My .mac username and password? And how do subsequent xmlrpc calls use the result of that authentication request so that the WSComments.woa WebObjects application doesn't refuse their calls? Is there a way to sniff even these packets to get at that data? Can I use AppleScript to execute the authentication request?

Gah. So close, it seems. Just an https and a stupid AppleScript word away from being able to use .mac commenting outside of iWeb.